Campus Policy Number: 250-10
Audits
Policy Owner: Internal Audit
Effective Date:10/15/93
- AUDIT SCHEDULING
- AUDIT APPROACH
- Conduct pre-audit meetings with auditees to discuss the audit program and objectives, and to solicit suggestions and assistance from them;
- Discuss audit observations with those directly concerned and actively seek their help in developing proposed solutions;
- Provide the auditee with interim information on audit observations so that steps toward implementation of recommendations might be taken before issuance of the final report; and
- Approach the audit in a constructive manner, emphasizing that audit recommendations are guides for improvement.
- AUDIT PROCEDURES
- Audit Notification
- Entrance Meeting
- Preliminary Survey
- Audit Program
- Field Work
- Audit Report
- (a) Exit Conference Review
- (b) Response
- (c) Distribution
- Audit Follow-up
- EXTERNAL AUDIT COORDINATION
- REPORTING ALLEGED IMPROPER ACTIVITIES
- OTHER POLICY REFERENCE
There is no set pattern for scheduling individual audits. Audits determined on a campus level are scheduled in accordance with the formalized University of California Internal Audit long range planning process. Application of the process results in a prioritized listing of audits based upon an estimate of each auditable activity's total operational risk. Total risk is determined by analyzing various objective and subjective risk factors such as: time since last audit, quality of internal control, dollar amount and liquidity of operational resources, etc.
Certain audits are mandated on a University-wide basis and are referred to as CORE audits. These audits are determined using specific risk analysis methodology. Instead of specific departments these auditable activities are functional in nature, such as: cash receipts, non-payroll disbursements, payroll, etc.
Each year the IAD manager prepares a preliminary campus audit plan to be reviewed by the Campus Audit Committee who forward their recommendations to the Chancellor. The Chancellor approves or rejects the plan. An approved plan is then forwarded to be sanctioned by the University Auditor, the Internal-External Audit Coordination Committee, and The Regents' Committee on Audit.
The usefulness of the audit is enhanced when the auditee participates throughout the audit and assists in developing feasible solutions. The audit approach used by IAD includes this concept of participative auditing. Specific measures taken to promote this constructive interaction with the auditee includes:
Unless the audit is of special nature, the following steps are taken:
The Internal Audit Department communicates with the department head, indicating the date the audit will begin, the purpose of the audit, and other general information about the audit process.
The internal auditor conducts an entrance meeting with the department head, if available, and business manager (usually a Management Services Officer in an academic department) to discuss the scope of the audit, field work, audit report, and follow-up. Department management should present at this meeting any questions on the proposed audit or specific concerns they would like reviewed.
On most audits, the auditor conducts a preliminary survey to become more familiar with the unit and the activities being audited. The preliminary survey can involve information gathering, flow charting, review of the unit's objectives, and identifying key areas of control. As a result of the preliminary survey, the auditor develops an audit program that concentrates on selected matters.
The auditor develops a detailed plan of action for the audit field work. The audit program can provide for review of policy compliance, effective use of resources, achievement of management objectives, and safeguarding of assets. Department management may request that the audit program be reviewed with them prior to commencement of field work.
During the field work phase of the audit, the auditor accumulates, classifies, and appraises information to measure and evaluate the effectiveness of management controls. The auditor must access records and personnel on audit-related matters during this time, but will attempt to perform the necessary tests and analyses so that interruption of the operation is minimal.
The auditor will discuss with departmental management throughout the audit where improvements or corrective action may be appropriate. Communicating with the auditee helps the auditor understand the operations, identify problems, and recommend workable solutions. Also, it allows the auditee an opportunity to take immediate action if needed.
Upon completion of the field work, the auditor prepares an audit report draft that contains a management summary and sections on background, audit purpose, scope, significant observations, and recommendations. Reviews of the draft report will begin with those people having direct responsibility for an area or condition needing corrective action. Thus, suggestions for changes, objections to phrasing, or questions on facts can be considered and addressed by the auditor before the draft is reviewed by higher departmental management.
While the IAD is not adverse to changes that will improve the report, an audit opinion cannot be compromised. Top management wants, expects, and is entitled to the auditor's opinion. The draft review process is designed to ensure proper interpretation of what the auditor has written and, if there should be serious disagreement on interpretation of the facts, the report should clearly set forth the positions of both the auditor and the operating manager for the benefit of higher management.
The auditor and departmental management review and discuss the audit report draft at the exit conference.
It is the auditor's responsibility to make recommendations to correct control weaknesses. It is management's responsibility to initiate a corrective action, establish policy, and make the actual operational decisions. Management does not have to adopt the recommendation of the auditor; they have the authority to decide what corrective action to take. However, the auditor has the responsibility for evaluating whether the action does, in the auditor's opinion, correct the noted deficiency.
Following review with higher departmental management, a written management response to each observation is required. The reply should address each audit observation and indicate the management action taken or planned.
For a fair presentation, the response is included in a revised report draft if received within 30 days from request; otherwise, the audit report is issued without an incorporated response. An informational copy of this draft is provided to the Vice Chancellor -- Administration and executive management that departmental management reports to.
After the departmental review, the IAD prepares the written report in a final format and distributes it to (a) the head of the audited department, (b) Campus Audit Committee members (generally via electronic mail), and (c) The University Auditor.
Release of audit reports and responses, and access to audit working papers will be based on the "need or right to know" as determined by appropriate management.
During the year after an audit report has been issued, the IAD will perform a follow-up. The purpose of this is to ensure that the action stated in the department's response has been implemented and has effectively corrected the deficiency. This follow-up may take the form of a discussion or perhaps a limited audit. An audit remains open until the IAD has evaluated the management action taken.
The Accounting Officer coordinates action on any external audit matter that may involve UC Riverside.
See the UC Riverside implementing procedures for "Reporting Improper Governmental Activities and Protection Against Retaliation for Reporting Improper Activities," distributed under the auspices of Labor Relations.
Business and Finance Bulletin G-29 (Revised July 1, 1992); Procedures for Investigating Misuse of University Resources.